XML Injection

Affecting org.codehaus.plexus:plexus-utils artifact, versions [,3.0.24)


Overview

org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

Affected versions of this package are vulnerable to XML Injection. org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This means that text contained in the comment string could be interpreted as XML and allow for XML injection.
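The defect in concrete form, as an added example written for this page (not plexus-utils code): a naive comment writer that mirrors writeComment's missing sanitisation next to a hardened one that enforces the XML 1.0 comment rule (no "--" inside a comment, no trailing "-"), plus a DOM parse that makes the difference visible. The class and method names and the sample input are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public final class XmlCommentDemo {

    // Mirrors the defect: the comment text is emitted verbatim, so a "-->" inside
    // it closes the comment early and whatever follows is parsed as markup.
    static String naiveComment(String text) {
        return "<!-- " + text + " -->";
    }

    // XML 1.0 forbids "--" anywhere inside a comment and a "-" immediately before
    // the closing "-->". Breaking every "--" with a space removes both ways of
    // terminating the comment early while keeping the text readable.
    static String safeComment(String text) {
        String s = text;
        while (s.contains("--")) {          // loop: "---" needs two passes
            s = s.replace("--", "- -");
        }
        if (s.endsWith("-")) {
            s = s + " ";
        }
        return "<!-- " + s + " -->";
    }

    // Parses a document and counts element children of the root, so we can see
    // whether comment text became real markup. DOCTYPE is disabled as general
    // parser hardening (unrelated to this bug, but good practice on untrusted XML).
    static int elementChildren(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList kids = doc.getDocumentElement().getChildNodes();
        int count = 0;
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i).getNodeType() == Node.ELEMENT_NODE) count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: untrusted text that carries the "-->" sequence.
        String untrusted = "build note --><extra/><!-- ";
        String naive = "<root>" + naiveComment(untrusted) + "</root>";
        String safe = "<root>" + safeComment(untrusted) + "</root>";
        System.out.println(naive + "  elements under root: " + elementChildren(naive));
        System.out.println(safe + "  elements under root: " + elementChildren(safe));
    }
}
```

With the naive writer the parser reports an element under root that came entirely from comment text; with the hardened writer the root contains only a comment.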

Remediation

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

CVSS Score

3.1
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U
Credit
Florian Weimer
CWE
CWE-91
Snyk ID
SNYK-JAVA-ORGCODEHAUSPLEXUS-461102
Disclosed
21 Sep, 2015
Published
06 Sep, 2019